Microsoft to Launch Critical Internet Explorer Update

The company confirms a patch for the recently reported IE8 security flaw

IE 10 is one of the versions that are not affected by the flaw

The Redmond-based technology company has just confirmed that it would release an update for Internet Explorer 8 and older versions at approximately 10 a.m. PST on Monday, January 14.

The patch is expected to fix the recently detected security hole in these versions of Microsoft’s in-house browser that would allow an attacker to take control of a vulnerable system with the help of a compromised website.

“We will release an out-of-band security update to fully address the issue described in Security Advisory 2794220. While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” Dustin Childs, group manager, Trustworthy Computing, said in a statement.

Just as we reported last week, the issue doesn’t affect Internet Explorer 9 and 10, so users who can upgrade to these two versions of the browser are recommended to do it as soon as possible.

The patch will be delivered via Windows Update, so users have nothing to do if this feature is enabled on their computers. As for the one-click “Fix it” tool released a couple of weeks ago, Microsoft says that users don’t need to uninstall it before applying the security update.

While security companies across the world have reported that more websites are getting compromised in order to exploit this flaw, Microsoft said it had discovered only a limited number of attacks.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said in a security advisory rolled out on December 29.